A first computing device sends a plurality of request messages to a second computing device that is outside a firewall associated with the first computing device, each request message of the plurality of request messages comprising a request for the second computing device to send a response message to the first computing device after a time period specified in the request message. The first computing device determines a timeout period of the firewall based on one or more response messages that are received responsive to the plurality of request messages. The first computing device sends or receives an additional message to or from the second computing device within the timeout period to prevent the firewall from blocking future messages from the second computing device.
Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method comprising: sending, by a first computing device that is behind a firewall, a first request message to a first port of a second computing device that is outside the firewall, wherein the first port is associated with a first flow of a plurality of concurrent flows between the first computing device and the second computing device, and wherein the first request message comprises a request for the second computing device to send a first response message to the first computing device after a specified first time period; sending, by the first computing device, a second request message to a second port of the second computing device that is associated with a second flow of the plurality of concurrent flows, the second request message comprising a request for the second computing device to send a second response message to the first computing device after a specified second time period that is greater than the specified first time period; and responsive to receiving the first response message and failing to receive the second response message, performing the following comprising: determining that a timeout period of the firewall is greater than the specified first time period and less than the specified second time period, wherein the failure to receive the second response message indicates that the second flow is terminated; keeping the first flow active by performing at least one of sending an additional message to the first port of the second computing device or receiving the additional message from the first port of the second computing device within the specified first time period to prevent the firewall from blocking future messages from the second computing device; determining a third time period that is greater than the specified first time period and less than the specified second time period; and sending a third request message to the second port, the third request message comprising a request for the second computing device to send a third response message to the first computing device after the third time period.
A computing device behind a firewall sends two requests to a server outside the firewall, each to a different port creating concurrent flows. The first request asks the server to respond after a short time. The second request asks the server to respond after a longer time. If the first response is received, but the second is not, the device determines the firewall timeout is between those times. To keep the first connection alive, the device sends or receives additional messages on the first port within the shorter time. It then sends another request to the second port, asking for a response after a time within the previously determined timeout range.
2. The method of claim 1, wherein the first request message, the first response message, the second request message, the second response message, the third request message and the additional message are user datagram protocol (UDP) messages, and wherein the timeout period of the firewall is a timeout period for a UDP flow.
The method described in claim 1 uses UDP messages for the requests, responses, and keep-alive messages. The firewall timeout that is being determined is specifically the UDP timeout. Essentially, this is a UDP-specific implementation for keeping a connection open by probing for the UDP firewall timeout period.
3. The method of claim 2, further comprising performing the following responsive to a failure to receive the first response message and a failure to receive the second response message: sending a fourth request message to the second computing device, the fourth request message comprising a request for the second computing device to send a fourth response message to the first computing device after the specified first time period, the specified second time period or a specified fourth time period, wherein the fourth request message and the fourth response message are transmission control protocol (TCP) messages; and responsive to receiving the fourth response message, determining that an alternative timeout period of the firewall is less than or equal to the specified first time period, the specified second time period or the specified fourth time period.
In addition to the process described in claim 2 (using UDP messages), if both the first and second UDP responses are missed, a fourth request is sent using TCP. This TCP request asks for a response after one of several possible time periods. If the TCP response *is* received, the firewall's TCP timeout is determined to be less than or equal to whichever time period (first, second, or fourth) the TCP response was requested after. This handles cases where UDP is blocked, and TCP can be used to assess firewall behavior.
4. The method of claim 1, further comprising performing the following responsive to receiving the first response message and receiving the second response message: determining that the timeout period of the firewall is greater than the specified second time period; keeping the first flow active by performing at least one of sending the additional message to the first port of the second computing device or receiving the additional message from the first port of the second computing device within the specified second time period to prevent the firewall from blocking future messages from the second computing device; determining a fourth time period that is greater than the specified second time period; and sending a fourth request message to the second port or a third port of the second computing device, the fourth request message comprising a request for the second computing device to send a fourth response message to the first computing device after the fourth time period.
If both the first and second responses (as described in claim 1) are received successfully, the device determines the firewall timeout is longer than the second time period. To keep the first connection alive, the device continues to send or receive additional messages on the first port within the second time period. A fourth request is sent, asking for a response after a fourth time period which is greater than the second. This tests for longer timeouts, continuing the probing process.
5. The method of claim 1, further comprising: responsive to receiving the first response message and failing to receive the second response message, setting a first messaging frequency based at least in part on the specified first time period, wherein the first computing device sends keep-alive messages to the second computing device in accordance with the messaging frequency, and wherein the keep-alive messages do not call for responses.
After receiving the first response but failing to receive the second response (as in claim 1), the system sets a "keep-alive" frequency based on the first (shorter) time period. The device then sends keep-alive messages to the server at this frequency. These keep-alive messages do not require a response from the server, unlike the earlier request messages, which did call for responses.
6. The method of claim 5, further comprising: setting a second messaging frequency that is less frequent than the first messaging frequency, wherein the first computing device sends probe messages to the second computing device in accordance with the second messaging frequency, and wherein the probe messages call for responses.
Building upon claim 5, a second, less frequent messaging rate is established for "probe" messages. Unlike the keep-alive messages which don't require responses, these probe messages do require the server to respond. This creates two tiers of message frequency: frequent, non-response keep-alives and infrequent, response-required probes.
7. The method of claim 1, wherein the first computing device comprises an embedded system and the second computing device comprises a server computing device that provides a service to the embedded system.
In the method of claim 1, the first computing device is an embedded system, and the second computing device is a server. The embedded system relies on the server's services and utilizes the firewall probing method to maintain a reliable connection.
8. A non-transitory computer readable storage medium having instructions that, when executed by a processing device of a first computing device, cause the processing device to perform operations comprising: sending, by the processing device, a first request message to a first port of a second computing device that is outside a firewall associated with the first computing device, wherein the first port is associated with a first flow of a plurality of concurrent flows between the first computing device and the second computing device, and wherein the first request message comprises a request for the second computing device to send a first response message to the first computing device after a specified first time period; sending, by the processing device, a second request message to a second port of the second computing device that is associated with a second flow of the plurality of concurrent flows, the second request message comprising a request for the second computing device to send a second response message to the first computing device after a specified second time period that is greater than the specified first time period; and responsive to receiving the first response message and failing to receive the second response message, performing the following comprising: determining that a timeout period of the firewall is greater than the specified first time period and less than the specified second time period, wherein the failure to receive the second response message indicates that the second flow is terminated; keeping the first flow active by performing at least one of sending an additional message to the first port of the second computing device or receiving the additional message from the first port of the second computing device within the specified first time period to prevent the firewall from blocking future messages from the second computing device; determining a third time period that is greater than the specified first time period and less than the specified second time period; and sending a third request message to the second port, the third request message comprising a request for the second computing device to send a third response message to the first computing device after the third time period.
A non-transitory computer-readable storage medium (e.g., memory, disk) contains instructions that cause a computing device to: send two requests to a server outside a firewall, each to a different port creating concurrent flows. The first request asks the server to respond after a short time. The second request asks the server to respond after a longer time. If the first response is received, but the second is not, the device determines the firewall timeout is between those times. To keep the first connection alive, the device sends or receives additional messages on the first port within the shorter time. It then sends another request to the second port, asking for a response after a time within the previously determined timeout range.
9. The non-transitory computer readable storage medium of claim 8, wherein the first request message, the first response message, the second request message, the second response message, the third request message and the additional message are user datagram protocol (UDP) messages, and wherein the timeout period of the firewall is a timeout period for a UDP flow.
Referring to the storage medium with instructions in claim 8, the requests, responses, and keep-alive messages all use UDP. The firewall timeout being determined is specifically the UDP timeout.
10. The non-transitory computer readable storage medium of claim 9, the operations further comprising performing the following responsive to a failure to receive the first response message and a failure to receive the second response message: sending a fourth request message to the second computing device, the fourth request message comprising a request for the second computing device to send a fourth response message to the first computing device after the specified first time period, the specified second time period or a specified fourth time period, wherein the fourth request message and the fourth response message are transmission control protocol (TCP) messages; and responsive to receiving the fourth response message, determining that an alternative timeout period of the firewall is less than or equal to the specified first time period, the specified second time period or the specified fourth time period.
Further describing the storage medium of claim 9: if both UDP responses are missed, a fourth request is sent using TCP, asking for a response after one of several possible time periods. If the TCP response *is* received, the firewall's TCP timeout is determined to be less than or equal to whichever time period (first, second, or fourth) the TCP response was requested after.
11. The non-transitory computer readable storage medium of claim 8, the operations further comprising: responsive to receiving the first response message and failing to receive the second response message, setting a first messaging frequency based at least in part on the specified first time period, wherein the processing device sends keep-alive messages to the second computing device in accordance with the messaging frequency, and wherein the keep-alive messages do not call for responses; and setting a second messaging frequency that is less frequent than the first messaging frequency, wherein the processing device sends probe messages to the second computing device in accordance with the second messaging frequency, and wherein the probe messages call for responses.
The storage medium in claim 8 also includes instructions to: after receiving the first response but failing to receive the second response, set a frequent keep-alive frequency based on the first (shorter) time period for non-response messages, and a less frequent rate for probe messages that require responses.
12. The non-transitory computer readable storage medium of claim 8, wherein the first computing device comprises an embedded system and the second computing device comprises a server computing device that provides a service to the embedded system.
In the storage medium with instructions from claim 8, the first computing device is an embedded system, and the second computing device is a server. The embedded system relies on the server's services and utilizes the firewall probing method to maintain a reliable connection.
13. A client computing device comprising: a memory; and a processing device coupled to the memory, wherein the processing device is to: send a first request message to a first port of a second computing device, wherein the first port is associated with a first flow of a plurality of concurrent flows between the client computing device and the second computing device, and wherein the first request message comprises a request for the second computing device to send a first response message to the client computing device after a specified first time period; send a second request message to a second port of the second computing device that is associated with a second flow of the plurality of concurrent flows, the second request message comprising a request for the second computing device to send a second response message to the client computing device after a specified second time period that is greater than the specified first time period; and responsive to receiving the first response message and failing to receive the second response message, perform the following comprising: determine that a timeout period of a firewall interposed between the client computing device and the second computing device is greater than the specified first time period and less than the specified second time period, wherein the failure to receive the second response message indicates that the second flow is terminated; keep the first flow active by periodically sending an additional message to the first port of the second computing device within the specified first time period to prevent the firewall from blocking future messages from the second computing device; determine a third time period that is greater than the specified first time period and less than the specified second time period; and send a third request message to the second port, the third request message comprising a request for the second computing device to send a third response message to the first computing device after the third time period.
A client computing device includes memory and a processor. The processor sends two requests to a server, each to different ports, creating concurrent flows. The first asks the server to respond after a short time, the second after a longer time. If the first response arrives, but the second does not, the processor determines that the firewall timeout is between those two times. The device keeps the first connection alive by periodically sending messages on the first port within the shorter time. It then sends another request to the second port for a response after a time within the determined timeout range.
14. The client computing device of claim 13, wherein the client computing device comprises an embedded system and the second computing device comprises a server computing device that provides a service to the embedded system.
The client computing device described in claim 13 is an embedded system, and the second computing device is a server that provides a service to the embedded system.
15. The method of claim 1, wherein the specified first time period is known to be lower than the timeout period of the firewall.
The method of claim 1 includes the condition that the specified first time period is known to be less than the firewall timeout period, so the first flow should always remain active.
16. The non-transitory computer readable storage medium of claim 8, the operations further comprising performing the following responsive to receiving the first response message and receiving the second response message: determining that the timeout period of the firewall is greater than the specified second time period; keeping the first flow active by performing at least one of sending the additional message to the first port of the second computing device or receiving the additional message from the first port of the second computing device within the specified second time period to prevent the firewall from blocking future messages from the second computing device; determining a fourth time period that is greater than the specified second time period; and sending a fourth request message to the second port or a third port of the second computing device, the fourth request message comprising a request for the second computing device to send a fourth response message to the first computing device after the fourth time period.
Further describing claim 8 (non-transitory storage medium): if both the first and second responses are received successfully, the device determines the firewall timeout is longer than the second time period. To keep the first connection alive, the device continues to send or receive additional messages on the first port within the second time period. A fourth request is sent, asking for a response after a fourth time period which is greater than the second.
17. The non-transitory computer readable storage medium of claim 8, wherein the specified first time period is known to be lower than the timeout period of the firewall.
Further describing claim 8 (non-transitory storage medium): the specified first time period is known to be less than the firewall timeout period, so the first flow should always remain active.
18. The client computing device of claim 13, wherein the first request message, the first response message, the second request message, the second response message, the third request message and the additional message are user datagram protocol (UDP) messages, and wherein the timeout period of the firewall is a timeout period for a UDP flow.
In the client computing device of claim 13, the requests, responses, and keep-alive messages all use UDP. The firewall timeout being determined is specifically the UDP timeout.
19. The client computing device of claim 18, wherein the processing device is further to perform the following responsive to a failure to receive the first response message and a failure to receive the second response message: send a fourth request message to the second computing device, the fourth request message comprising a request for the second computing device to send a fourth response message to the first computing device after the specified first time period, the specified second time period or a specified fourth time period, wherein the fourth request message and the fourth response message are transmission control protocol (TCP) messages; and responsive to receiving the fourth response message, determine that an alternative timeout period of the firewall is less than or equal to the specified first time period, the specified second time period or the specified fourth time period.
Further describing the client computing device in claim 18: if both UDP responses are missed, a fourth request is sent using TCP, asking for a response after one of several possible time periods. If the TCP response *is* received, the firewall's TCP timeout is determined to be less than or equal to whichever time period (first, second, or fourth) the TCP response was requested after.
20. The client computing device of claim 13, wherein the processing device is further to perform the following responsive to receiving the first response message and receiving the second response message: determine that the timeout period of the firewall is greater than the specified second time period; keep the first flow active by performing at least one of sending the additional message to the first port of the second computing device or receiving the additional message from the first port of the second computing device within the specified second time period to prevent the firewall from blocking future messages from the second computing device; determine a fourth time period that is greater than the specified second time period; and send a fourth request message to the second port or a third port of the second computing device, the fourth request message comprising a request for the second computing device to send a fourth response message to the first computing device after the fourth time period.
Further describing the client computing device in claim 13: if both the first and second responses are received successfully, the device determines the firewall timeout is longer than the second time period. To keep the first connection alive, the device continues to send or receive additional messages on the first port within the second time period. A fourth request is sent, asking for a response after a fourth time period which is greater than the second.
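The two-flow probing loop of claims 1 and 4, with the keep-alive of claim 5, as an added Python simulation that is not part of the patent; the toy firewall model, the port numbers, the delay-doubling step and the bisection step are assumptions made here to show how the timeout bracket narrows.

```python
# Added example (not from the patent): simulated two-flow probe that brackets a
# stateful firewall's UDP idle timeout, following the loop in claims 1 and 4.


class SimulatedFirewall:
    """Toy stateful firewall: a flow entry is dropped after `timeout` seconds idle."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.last_seen = {}  # port -> simulated time of the last packet on that flow

    def outbound(self, port, now):
        """Client-to-server packet: creates or refreshes the flow entry."""
        self.last_seen[port] = now

    def inbound(self, port, now):
        """Server-to-client packet: passes only while the flow entry is still alive."""
        t = self.last_seen.get(port)
        if t is None or now - t > self.timeout:
            self.last_seen.pop(port, None)  # entry expired: the flow is terminated
            return False
        self.last_seen[port] = now
        return True


def delayed_response(fw, port, delay, now):
    """Request sent at `now` asking the server to reply after `delay` seconds.

    Returns True if the delayed reply gets through the firewall."""
    fw.outbound(port, now)
    return fw.inbound(port, now + delay)


def keep_alive(fw, port, start, end, interval):
    """Keep-alive messages (no reply needed, claim 5) every `interval` s in [start, end)."""
    t = start
    while t < end:
        fw.outbound(port, t)
        t += interval


def probe_firewall_timeout(fw, t1, t2, resolution=1.0, max_rounds=40):
    """Bracket the firewall timeout T as lower <= T < upper, given t1 < T (claim 15).

    Port 1 carries the flow that is kept alive within t1; port 2 carries probes
    whose requested delay is raised while replies keep arriving (claim 4) and
    bisected once one is missed (claim 1), until the bracket is narrower than
    `resolution` seconds. Port numbers and the doubling step are assumptions."""
    ka_port, probe_port = 1, 2
    now = 0.0
    lower, upper = t1, None
    delay = t2
    for _ in range(max_rounds):
        if not delayed_response(fw, ka_port, t1, now):
            raise RuntimeError("first flow lost: t1 is not below the firewall timeout")
        got_second = delayed_response(fw, probe_port, delay, now)
        keep_alive(fw, ka_port, now + t1, now + delay, t1)  # hold the first flow open
        now += delay
        if got_second:
            lower = delay  # reply arrived: T >= delay, so try a longer delay next
        else:
            upper = delay  # second flow terminated: T < delay
        if upper is None:
            delay = lower * 2  # claim 4: fourth time period greater than the second
        else:
            delay = (lower + upper) / 2  # claim 1: third time period between the two
            if upper - lower <= resolution:
                break
    return lower, upper
```

With a simulated 180 s timeout and t1 = 30 s, t2 = 60 s, the loop doubles to 240 s, misses, and then bisects down to a bracket of [180, 180.94) in ten rounds while the first flow never drops.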
June 18, 2014
May 23, 2017